Risk management, strategy and analysis from Deloitte

CONTENT FROM OUR SPONSOR

Please note: The Wall Street Journal News Department was not involved in the creation of the content below.

Managing Risk in the Digital Age: Lessons and Tools

In this second of two interviews with Henry Ristuccia, partner, Deloitte & Touche LLP, and global leader, Governance, Risk and Compliance Services, Deloitte Touche Tohmatsu Limited, he discusses what risk issues are on the minds of the C-suite and boards of directors and how new technologies are being applied in risk management. The first article discusses how executives can create value through effective risk management.

Q: What have we learned about risk management practices at the enterprise level since the depths of the financial crisis?

Henry Ristuccia: What has been learned is that risk management programs need to have much more of an outside-in perspective, with objective data used for benchmarking and analysis of risks to an organization. Many financial institutions had risk programs in place, but their risk programs often didn’t evaluate objective data in the context of their business strategy. They were completely focused on what the risk or the business unit head says about dimensions of the business model, such as how long home prices could continue to rise. Having and analyzing objective information in the context of the business model and strategy is critical. That’s why we are so focused on the opportunities and the risks of the digital age, including big data, and the need to be open to think about business models differently. Once that is done, the business strategy is validated or revisited in the context of risk, which would set the stage for making decisions about how to allocate capital and where to invest. If you are continually validating or, in some cases, enhancing the business strategy in the context of risk, you should be in a better position to make investment decisions accordingly.

The other major shortcoming in risk management before the financial crisis was that it wasn’t necessarily tied to the business strategy, and it often wasn’t driven by senior stakeholders in a proactive, interactive way. That’s one reason why the SEC in 2009 enhanced the proxy disclosure requirements for public companies on how the board oversees risk management. That’s also a reason why the Dodd-Frank Act requires risk committees for certain financial entities at a board level, which is saying boards need to be much more interactive and have much more say and visibility into how an organization is managing its risks.

Q: How is technology, including analytics, reshaping risk management practices?

Henry Ristuccia: Most of the management information reports and dashboards I see at the executive or board level are manually compiled, but the better ones are now using more visualization tools and are connecting more of the dots when it comes to different types of systems or analytics. Where we are seeing analytics play a significant role is in managing reputational risk. Reputation is not what the board or management thinks, but rather what the public and other outsiders think about an organization. We see more companies using analytical tools to mine information in the blogosphere, and study and make sense of it. Being able to pull data from the outside into the organization is where analytics has become very helpful. Companies can now listen to the public about what goods and services it wants, and what their customers and competitors are saying.

Organizations that excel at analytics start with a good risk framework that’s tied to the four high-level risk categories–strategic, operational, financial and compliance. They also have a good sense of what they want to measure and how they’re going to measure it, but it’s critical the C-suite and the board provide direction and have ongoing interaction with the risk professionals. The marketplace is demanding that organizations understand what those outside of it are thinking and saying and to think about risk management in a different way, as well as the activities and methods used to monitor and address risks.

Q: How have anti-fraud practices evolved in recent years, with respect to some of the newer risk management techniques?

Henry Ristuccia: There are generally two types of fraud. The first category includes the broader, management override types of fraud, which were the big events we saw in the marketplace in the pre-Sarbanes-Oxley (SOX) era. In the second category are fraudulent activities that are lower level or based upon a single individual. Both types of fraud need to be dealt with, but risk management programs should focus on the big picture issues, such as considerations around financial fraud or enterprise-wide ethics and corruption.

At the same time, companies have had to adopt important provisions that have made a difference, starting with SOX. There was so much early controversy around SOX, but for financial override and management override of financial reporting, I think it has evolved to achieve its objectives. More recently, we have the whistleblower provisions of Dodd-Frank, which cover all public companies, not just financial institutions. They basically created a bounty program for the SEC; if someone suspects fraud, they could get between 10% and 30% of any money collected in an SEC enforcement action where more than $1 million in sanctions is awarded. At the time the whistleblower provisions were enacted, a number of senior company stakeholders were concerned that it would trigger a lot of false negatives in terms of people just fishing for payouts. Instead, what Dodd-Frank did was introduce an objective and independent party and mechanism that could access the governance layer of an organization without necessarily involving management.

I would say since Dodd-Frank and the whistleblower provisions, some types of fraud have settled down a bit, including some higher-level frauds. Fraud is always going to be in the marketplace; it’s never going away. Now you’re seeing other countries around the world adopting similar whistleblower provisions, especially SOX-like ones, and I think that has helped counter some fraud.

Q: What are some of the pain points involving risk management you hear from the board members and senior management you meet with? What do they see as the big challenges?

Henry Ristuccia: There is a struggle with setting a common definition of risk—referred to by some as risk appetite—and relating that to their business. Some might have risk dashboards, but the dashboards may not capture the issues that the board or the senior stakeholders think are most critical. Some of the pain points that everybody seems to share involve vendors and supply chains as well as the “people” aspect of risk. Another common concern is future talent—where will the work force needed for the future come from, where are they going to be located, and how are organizations going to motivate them? As more sections of the U.S. economy move toward an innovative-type services economy, boards and senior executives are wondering where they are going to get the skilled workforce and what incentives and motivations will draw that skilled workforce to their companies, while accounting for generational differences. The risk pain points can vary, but across industries, those HR considerations are typically on the CEOs’ and boards’ short list of most critical risks.

Cyberrisks, hackers and denial of service, as well as reputational issues, are also worries shared by many C-suite executives and directors. Independent directors who sit on multiple boards at least have the benefit of being able to compare what other organizations are seeing and doing about their most critical pain points.

So risk management in today’s world boils down to three things: setting a common definition of risk, linking that definition and related thinking to the business strategy, and finally, identifying the short list of most critical risks—and keeping it up to date so that senior stakeholders can stay focused on them.
